OCR Fines Ransomware Victim due to HIPAA breaches: Doctors' Management Services (DMS), a management company that serves as a business associate of covered entity physician practices, has been fined $100,000 by OCR for failure to do a sufficient Security Risk Analysis (SRA), lack of policies and procedures, and failure to monitor system activity (all the usual suspects).
DMS was itself a victim: a criminal hacker caused the incident. But DMS still got hit with a big fine because they didn't take the steps needed to avoid being a victim in the first place.
Some covered entities that are ransomware victims get fined, and others don't. Both groups suffer from the incident, but the second group (ones with good SRAs, policies and procedures, and monitoring) is much less likely to get fined. Just ask me -- I have personal experience with this!
UPDATE: Thanks to Theresa Defino at Report on Patient Privacy, DMS has had a chance to tell their side of the story. As I noted in my original post, DMS was a victim here. I noted that "they didn't take the steps," based on OCR's press release. Now, I'm thinking maybe OCR overreacted, but I haven't actually talked to DMS.
The point here, though, is that OCR's stated list of wrongdoing is the same list that's applicable to almost every other case involving a fine (other than the access cases). You want to be able to prove that you have done your SRA, have good policies that you follow, and monitor your system activity.